Using Multifactor Authentication (MFA) to Protect Sensitive Data
Multifactor Authentication, One Step Closer to a Password-less Future
Carley Kimball, Media Specialist
6 Min Read
You’ve likely heard about Multifactor Authentication (MFA); in fact, you’ve probably interacted with it before. MFA is rapidly becoming the norm for digital credentialing and is one of the first steps companies can take to secure information easily.
MFA is defined as the process of a user or device providing two or more distinct types of proofs of control associated with a specific digital identity, to gain access to the associated permissions, rights, privileges, and memberships. Two-Factor Authentication (2FA) implies that exactly two proofs are required for a successful authentication and is a subset of MFA.
Most MFA deployments combine two or more of the following factors:
- A knowledge factor, or something you know, such as a password, a PIN or answers to security questions
- A possession factor, or something you have, such as a physical token, an authenticator app or a one-time password sent via text or email
- An inherence factor, or something you are, such as a biometric identifier like your fingerprint, voice or retina
Decades of successful attacks against single-factor authentication methods, like login names and passwords, are driving a large-scale movement to more secure, multifactor authentication solutions, both in corporate environments and on websites everywhere. This trend is exemplified by the fact that over the last few years, the most popular websites and services, including those owned by Google, Microsoft, Facebook, and Twitter, have offered MFA solutions to their customers. Many internet sites and services now offer both traditional login name/password logins and more secure MFA options, according to cybersecurity company KnowBe4.
Large companies, like Google, are reporting successful defense against some common hacking attacks by moving their user base from single-factor to multi-factor authentication. MFA solutions are supported by default in the most popular operating systems, and additional MFA solutions are offered by hundreds of third-party vendors.
Cybercrime is at an all-time high and is projected to expand in scope and sophistication as we continue on the path to a more digital world. Not all cyberattacks utilize advanced technology. Oftentimes, hackers gain valuable information through simple phishing campaigns that target human reaction and emotion.
All it takes is one compromised credential or one legacy application to cause a data breach. This underscores how critical it is to ensure password security and strong authentication. There is an uptick in phishing, spear phishing, and laser phishing attacks, and the resulting account takeovers are almost invisible. KnowBe4, a leader in security awareness and training, suggests that employees who are vigilant and knowledgeable about potential vulnerabilities also increase a company’s digital security overall.
By implementing MFA, you can close off common avenues of attack against your network, such as:
- Business email compromise, where an attacker gains access to a corporate email account, such as through phishing or spoofing, and uses it to exploit the system and steal money. Accounts that are protected with only a password are easy targets.
- Legacy protocols, which create a major vulnerability because applications that use basic protocols, such as SMTP, were not designed to support Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, attackers will search for opportunities to use outdated browsers or email applications that force the use of these less secure protocols.
- Password reuse, which is where password spray and credential stuffing attacks come into play. Common passwords, and credentials compromised in public breaches, are tried against corporate accounts in an attempt to gain access. Considering that up to 73 percent of passwords are duplicates, this has been a successful strategy for many attackers, and an easy one to carry out.
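The password spray and credential stuffing patterns described above leave a recognizable trace in authentication logs, and that trace is what a defender can alert on even before MFA is rolled out everywhere. The following is an added example written for this article, not code from KnowBe4 or any vendor mentioned here; the log format, the sample lines and the thresholds are all constructed for illustration. A spray shows up as one source failing against many distinct accounts (so per-account lockout never triggers), while a conventional brute force shows up as many failures against one account; a success from a source already seen spraying marks the account that most likely needs a reset and MFA enrolment.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article). One line per
# login attempt, in the form "<timestamp> user=<name> src=<ip> result=<ok|fail>".
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice src=203.0.113.7 result=fail
2024-03-01T09:00:02Z user=bob src=203.0.113.7 result=fail
2024-03-01T09:00:03Z user=carol src=203.0.113.7 result=fail
2024-03-01T09:00:04Z user=dave src=203.0.113.7 result=fail
2024-03-01T09:00:05Z user=erin src=203.0.113.7 result=fail
2024-03-01T09:00:06Z user=frank src=203.0.113.7 result=ok
2024-03-01T09:05:10Z user=bob src=198.51.100.5 result=fail
2024-03-01T09:05:20Z user=bob src=198.51.100.5 result=ok
2024-03-01T09:10:00Z user=grace src=192.0.2.9 result=fail
2024-03-01T09:10:01Z user=grace src=192.0.2.9 result=fail
2024-03-01T09:10:02Z user=grace src=192.0.2.9 result=fail
2024-03-01T09:10:03Z user=grace src=192.0.2.9 result=fail
2024-03-01T09:10:04Z user=grace src=192.0.2.9 result=fail
2024-03-01T09:10:05Z user=grace src=192.0.2.9 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_events(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def detect_password_spray(lines, min_users=5):
    """Password spray: one source tries a few common passwords against many
    accounts. The signal is a single src with failures for many distinct users,
    which per-account lockout misses because each account sees only one or two
    attempts. Returns {src: sorted distinct users} for sources over threshold."""
    failed_users = defaultdict(set)
    for ev in parse_events(lines):
        if ev["result"] == "fail":
            failed_users[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in failed_users.items()
            if len(users) >= min_users}


def detect_brute_force(lines, min_failures=5):
    """Conventional brute force or credential stuffing against one account:
    many failures for the same user. Returns {user: failure count}."""
    failures = defaultdict(int)
    for ev in parse_events(lines):
        if ev["result"] == "fail":
            failures[ev["user"]] += 1
    return {user: n for user, n in failures.items() if n >= min_failures}


def successes_from_spray_sources(lines, min_users=5):
    """Logins that succeeded from a source already flagged as spraying: the
    accounts most likely compromised, i.e. the 'one compromised credential'."""
    spray_sources = detect_password_spray(lines, min_users)
    return [(ev["user"], ev["src"]) for ev in parse_events(lines)
            if ev["result"] == "ok" and ev["src"] in spray_sources]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("spray sources:", detect_password_spray(lines))
    print("brute-forced accounts:", detect_brute_force(lines))
    print("successes from spray sources:", successes_from_spray_sources(lines))
```

Run over the constructed sample, the spray detector flags 203.0.113.7 (five distinct users failed from it), the brute-force detector flags grace (six failures), and frank's successful login from the spraying source is the one that warrants an immediate reset. Note that the two detectors are complementary: bob fails twice from two sources and is correctly flagged by neither.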
What can you do to protect your company?
You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing. However, one of the best things you can do is to just turn on MFA. By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks.
VMware, a leading cybersecurity company, suggests these additional options for increased defense, which are often required by government agencies or large enterprises.
- Smart card authentication allows access only to users who attach a physical card to the USB port of the computer that they log in to. An example is Common Access Card (CAC) authentication. The administrator can deploy the PKI so that the smart card certificates are the only client certificates that the CA issues. For such deployments, only smart card certificates are presented to the user. The user selects a certificate and is prompted for a PIN. Only users who have both the physical card and the PIN that matches the certificate can log in.
- For RSA SecurID authentication, your environment must include a correctly configured RSA Authentication Manager. If the Platform Services Controller is configured to point to the RSA server, and if RSA SecurID Authentication is enabled, users can log in with their username and token.
Biometric Authentication is another option that is taking hold in the cybersecurity world. This security process verifies a user’s identity through unique biological traits such as retinas, irises, voices, facial characteristics, and fingerprints. These systems compare the physical or behavioral trait presented at login against a reference sample stored in a database. If the two samples of biometric data match, authentication is confirmed.
The use of Biometric Authentication is recommended whenever possible as the secure standard for account management. Both Apple and Android have taken similar measures in providing a safe and trusted method for their customers to authenticate with native and third-party applications through face and fingerprint recognition.
More Ways to Defend Against MFA Attacks
Social Defenses
- Realize nothing, including any MFA solution, is unhackable
- Integrate MFA hacking awareness into your security awareness training
- Share this data with co-workers and management
- Don’t get tricked into clicking on rogue links
- Block rogue links as much as possible
- Make sure your users know a URL is legitimate before they click; see the Social Engineering Red Flags Checklist
Technical Defenses
- Enable REQUIRED MFA whenever possible
- Avoid SMS-based MFA whenever possible
- Use “1:1” MFA solutions, which require the client side to be pre-registered with the server
- Use or require two-way (mutual) authentication whenever possible (e.g., FIDO U2F’s channel or token binding)
- Does your MFA solution specifically fight session token theft and/or malicious replays? (i.e., replay resistant)
- Can your MFA vendor’s support help be socially engineered?
- Make sure MFA vendors use secure development lifecycle (SDL) in their programming
- Make sure MFA has “bad attempt throttling” or “account lockout” enabled
- Spread factors across different “channels” or “bands” (in-band/out-of-band)
- Protect and audit identity attributes used by MFA for unique identification of MFA logins
- Don’t answer password reset questions using honest answers
- Encourage and use sites and services that use dynamic authentication, where additional factors are requested for higher risk circumstances
- Understand the risks of “shared secret” systems
- For transaction-based authentication, send the user all critical details out-of-band before a confirmation is transmitted or required